[Samba] Problem validating with LDAP and Samba3.0.1debian

Andrew Bartlett abartlet at samba.org
Sun Feb 15 02:16:50 GMT 2004


On Sun, 2004-02-15 at 13:12, Torben Thomsen wrote:
> Hi,
> 
> I'm running openldap and samba3.0.1 from my debian system, but I have 
> used many many hours trying to get samba to validate users on the 
> ldap... And is now turning to the last resort ...


> access to attribute=userPassword
>          by dn="cn=admin,dc=login" write
>          by anonymous auth
>          by self write
>          by * none
> 
> access to dn.base="" by * read
> 
> access to *
>          by dn="cn=admin,dc=login" write
>          by * read

You should also restrict access to sambaNTpassword and sambaLMpassword,
but that's a matter for after this is working.

> Feb 14 21:04:54 compaq smbd[3754]: [2004/02/14 21:04:54, 0] 
> auth/auth_sam.c:check_sam_security(221)
> 
> Feb 14 21:04:54 compaq smbd[3754]:   check_sam_security: 
> make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

This means that the local unix user (the one with exactly the same name
as the Samba user) does not exist.

> So, it seems that the samba-backend recognizes the Administrator, with 
> the correct password, but still throws a NT_STATUS_NO_SUCH_USER
> 
> I suspect it has something to do with the unix-user sync, but I have no 
> idea, at the moment how to deal with this problem!

Populate LDAP with posixAccount attributes, and configure nss_ldap to
talk to the same ldap server.  This will allow 'getent passwd' to
succeed (showing your samba users), and Samba will then work.

> In the future I would like to sync the samba-user with the unix-user, 
> but there is still a LOONG way into the XP-pile before that problem has 
> priority....

This is now your priority, as it is required to make it work :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
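
Added example, not part of the original post and not Samba or OpenLDAP code: a simplified model of slapd's first-match ACL evaluation, run over the ACL quoted above, showing why the Samba hash attributes fall through to the final "by * read" rule. The parser handles only the syntax that appears in the thread; HARDENED_ACL and the function names are assumptions made for illustration.

```python
import re

# Constructed input: the ACL as quoted in the thread.
POSTED_ACL = '''
access to attribute=userPassword
         by dn="cn=admin,dc=login" write
         by anonymous auth
         by self write
         by * none
access to dn.base="" by * read
access to *
         by dn="cn=admin,dc=login" write
         by * read
'''
# Assumed fix (not from the thread): cover the hashes with the userPassword rule.
HARDENED_ACL = POSTED_ACL.replace(
    "attribute=userPassword",
    "attribute=userPassword,sambaNTPassword,sambaLMPassword")

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for block in re.split(r"^access\s+to\s+", text, flags=re.M)[1:]:
        what, *by = " ".join(block.split()).split(" by ")
        rules.append((what, [tuple(b.rsplit(" ", 1)) for b in by]))
    return rules

def what_matches(what, attr):
    if what == "*":
        return True
    m = re.match(r"(?:attribute|attrs?)=(.+)$", what)
    if m:  # attribute names are case-insensitive in LDAP
        return attr.lower() in m.group(1).lower().split(",")
    return False  # assumption: dn-scoped clauses (dn.base="") skip user entries

def access_for(text, attr, requester):
    """requester is 'anonymous', 'self' or 'users' (another bound user)."""
    for what, by in parse_acl(text):
        if what_matches(what, attr):  # slapd stops at the first matching clause
            for who, level in by:
                if who in ("*", requester) or (who == "users" and requester == "self"):
                    return level
            return "none"  # each clause ends with an implicit "by * none"
    return "none"  # the list ends with an implicit "access to * by * none"

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        for attr in ("userPassword", "sambaNTPassword", "sambaLMPassword"):
            print(name, attr, {r: access_for(acl, attr, r) for r in ("anonymous", "users")})
```

Samba itself binds with its configured admin DN, which keeps write access under both versions.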